Daily summary - 14.11.2023

End-of-Day report

Timeframe: Monday 13-11-2023 18:00 - Tuesday 14-11-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer

News

CISA warns of actively exploited Juniper pre-auth RCE exploit chain

CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.

https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/


ChatGPT, Bard and others: AI systems allow data to be exfiltrated

Targeted queries can be used to extract private and protected data from AI systems. The attacks show a fundamental problem.

https://www.golem.de/news/chatgpt-bard-und-andere-ki-systeme-ermoeglichen-ausleiten-von-daten-2311-179405.html


Noticing command and control channels by reviewing DNS protocols, (Mon, Nov 13th)

Malicious software pieces installed on computers call home. Some of them can be noticed because they perform a DNS lookup, and some of them initiate connections without a DNS lookup. This last option is abnormal and can be noticed by any Network Detection and Response (NDR) tool that reviews the network traffic for at least two weeks. Most companies do not have the money to afford an NDR, so I'm going to show you today an interesting tip that has worked for me to notice APTs calling home when they perform DNS lookups.

https://isc.sans.edu/diary/rss/30396


Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain

The algorithms are used by TETRA - short for the Terrestrial Trunked Radio protocol - and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries.

https://go.theregister.com/feed/www.theregister.com/2023/11/14/tetra_encryption_algorithms_open_sourced/


Novel backdoor persists even after critical Confluence vulnerability is patched

Got a Confluence server? Listen up. Malware said to have wide-ranging capabilities. A new backdoor was this week found implanted in the environments of organizations to exploit the recently disclosed critical vulnerability in Atlassian Confluence.

https://go.theregister.com/feed/www.theregister.com/2023/11/14/novel_backdoor_persists_confluence/


Nothing new, still broken, insecure by default since then: Python's e-mail libraries and certificate verification

Today, basically every e-mail provider supports TLS for their services, and programmatically accessing e-mail services with Python code using TLS-wrapped clients is common. Python offers three libraries shipped with a standard installation for handling e-mail transfer. These modules are smtplib, imaplib, and poplib. While Python programming is usually straightforward, using these Python libraries securely requires passing a magic parameter in the right way.

https://www.pentagrid.ch/en/blog/python-mail-libraries-certificate-verification/
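The "magic parameter" the post refers to is the TLS context argument that the three modules accept: smtplib and poplib call it `context=`, imaplib calls it `ssl_context=`. The following Python is an added example, not code from the pentagrid post or from the Python documentation. It builds a context that verifies the certificate chain and the host name, shows the weakened variant that copy-pasted mail scripts often introduce to silence certificate errors, and adds a small audit helper that flags either a missing or a weakened context. The host name `mail.example.invalid` is a placeholder and the `open_*` helpers only illustrate where the parameter goes; they are not called offline.

```python
import ssl
import smtplib
import imaplib
import poplib
from typing import List, Optional


def make_mail_tls_context() -> ssl.SSLContext:
    """Client context that really verifies the server.

    ssl.create_default_context() loads the system CA store, sets
    verify_mode=CERT_REQUIRED and check_hostname=True. On top of that we
    refuse anything older than TLS 1.2.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_context() -> ssl.SSLContext:
    """The usual 'fix' for certificate errors found in mail scripts.

    The connection is still encrypted, but any certificate is accepted, so
    an on-path attacker can present their own. Built here only so that the
    audit below has something to flag.
    """
    ctx = make_mail_tls_context()
    ctx.check_hostname = False      # must be cleared first, otherwise CERT_NONE raises ValueError
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """True only if the context checks both the chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_context(ctx: Optional[ssl.SSLContext]) -> List[str]:
    """Return findings for a context about to be handed to a mail client.

    An empty list means the context is acceptable. A missing context is a
    finding on its own: whether the library's fallback verifies certificates
    depends on the Python release, so always pass one explicitly.
    """
    findings: List[str] = []
    if ctx is None:
        findings.append("no context passed: library falls back to its own default")
        return findings
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for another host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.0/1.1")
    return findings


# Where the parameter goes in each module (placeholder host; not run offline).
def open_smtp_ssl(host: str, ctx: ssl.SSLContext) -> smtplib.SMTP_SSL:
    return smtplib.SMTP_SSL(host, 465, context=ctx)


def open_smtp_starttls(host: str, ctx: ssl.SSLContext) -> smtplib.SMTP:
    smtp = smtplib.SMTP(host, 587)
    smtp.starttls(context=ctx)      # starttls() also needs the context to be passed
    return smtp


def open_imap_ssl(host: str, ctx: ssl.SSLContext) -> imaplib.IMAP4_SSL:
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)   # note: ssl_context, not context


def open_pop3_ssl(host: str, ctx: ssl.SSLContext) -> poplib.POP3_SSL:
    return poplib.POP3_SSL(host, 995, context=ctx)


if __name__ == "__main__":
    MAIL_HOST = "mail.example.invalid"   # placeholder, never contacted here
    for label, candidate in (("default", make_mail_tls_context()),
                             ("weakened", weakened_context()),
                             ("missing", None)):
        print(f"{label:9s} -> {audit_context(candidate) or ['ok']}")
```

The audit reads only attributes that `ssl.SSLContext` exposes, so it can be dropped into a code review script or a unit test that wraps every place where a mail client is constructed; the point is that encryption without `CERT_REQUIRED` and `check_hostname` gives no protection against an on-path attacker.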


LockBit ransomware group assemble strike team to breach banks, law firms and governments.

[...] I thought it would be good to break down what is happening and how they're doing it, since LockBit are breaching some of the world's largest organisations - many of whom have incredibly large security budgets. Through data allowing the tracking of ransomware operators, it has been possible to track individual targets. Recently, it has become clear they have been targeting a vulnerability in Citrix Netscaler, called CitrixBleed.

https://doublepulsar.com/lockbit-ransomware-group-assemble-strike-team-to-breach-banks-law-firms-and-governments-4220580bfcee


CVE Half-Day Watcher

CVE Half-Day Watcher is a security tool designed to highlight the risk of early exposure of Common Vulnerabilities and Exposures (CVEs) in the public domain. It leverages the National Vulnerability Database (NVD) API to identify recently published CVEs with GitHub references before an official patch is released. By doing so, CVE Half-Day Watcher aims to underscore the window of opportunity for attackers to "harvest" this information and develop exploits.

https://github.com/Aqua-Nautilus/CVE-Half-Day-Watcher


Beware of job offers via SMS or WhatsApp

Out of the blue, you receive a message from a recruitment agency: you are being offered a job. The pay is good and the working hours are flexible. The work consists of rating hotels and tourist attractions. If you are interested, you are asked to send the employer a WhatsApp message. Ignore this job offer; it is a scam!

https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-sms-oder-whatsapp/


Ddostf DDoS Bot Malware Attacking MySQL Servers

The ASEC analysis team has recently discovered that the Ddostf DDoS bot is being installed on vulnerable MySQL servers. Ddostf is a DDoS bot capable of conducting Distributed Denial of Service (DDoS) attacks on specific targets and was first identified around 2016.

https://asec.ahnlab.com/en/58878/


A Closer Look at ChatGPT's Role in Automated Malware Creation

This blog entry explores the effectiveness of ChatGPT's safety measures, the potential for AI technologies to be misused by criminal actors, and the limitations of current AI models.

https://www.trendmicro.com/en_us/research/23/k/a-closer-look-at-chatgpt-s-role-in-automated-malware-creation.html


Malicious Abrax666 AI Chatbot Exposed as Potential Scam

As of now, based on the information regarding the sale of the Abrax666 AI Chatbot, cybersecurity researchers are of the opinion that the chatbot is most likely a scam.

https://www.hackread.com/abrax666-ai-chatbot-exposed-as-potential-scam/

Vulnerabilities

Siemens Security Advisories

Siemens has released 14 new and 18 updated Security Advisories.

https://www.siemens.com/global/en/products/services/cert.html?d=2023-11#SiemensSecurityAdvisories


Xen Security Advisory CVE-2023-46835 / XSA-445 - x86/AMD: mismatch in IOMMU quarantine page table levels

A device in quarantine mode can access data from previous quarantine page table usages, possibly leaking data used by previous domains that also had the device assigned.

https://xenbits.xen.org/xsa/advisory-445.html


Xen Security Advisory CVE-2023-46836 / XSA-446 - x86: BTC/SRSO fixes not fully effective

An attacker in a PV guest might be able to infer the contents of memory belonging to other guests.

https://xenbits.xen.org/xsa/advisory-446.html


SAP Security Patch Day - November 2023

On 14 November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. Further, there were 3 updates to previously released Security Notes.

https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10


Security updates for Tuesday

Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached).

https://lwn.net/Articles/951311/


ICS Patch Tuesday: 90 Vulnerabilities Addressed by Siemens and Schneider Electric

Siemens and Schneider Electric's Patch Tuesday advisories for November 2023 address 90 vulnerabilities affecting their products.

https://www.securityweek.com/ics-patch-tuesday-90-vulnerabilities-addressed-by-siemens-and-schneider-electric/


Mattermost security updates 9.1.3 / 9.0.4 / 8.1.6 (ESR) / 7.8.15 (ESR) released

The security update is available for Mattermost dot releases 9.1.3, 9.0.4, 8.1.6 (Extended Support Release), and 7.8.15 (Extended Support Release), for both Team Edition and Enterprise Edition.

https://mattermost.com/blog/mattermost-security-updates-9-1-3-9-0-4-8-1-6-esr-7-8-15-esr-released/


TYPO3-CORE-SA-2023-007: By-passing Cross-Site Scripting Protection in HTML Sanitizer

https://typo3.org/security/advisory/typo3-core-sa-2023-007


TYPO3-CORE-SA-2023-006: Weak Authentication in Session Handling

https://typo3.org/security/advisory/typo3-core-sa-2023-006


TYPO3-CORE-SA-2023-005: Information Disclosure in Install Tool

https://typo3.org/security/advisory/typo3-core-sa-2023-005


IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat.

https://www.ibm.com/support/pages/node/7072626


IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839)

https://www.ibm.com/support/pages/node/7073360


IBM Security Guardium is affected by multiple OS level vulnerabilities

https://www.ibm.com/support/pages/node/7073592


AVEVA Operations Control Logger

https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-01


Rockwell Automation SIS Workstation and ISaGRAF Workbench

https://www.cisa.gov/news-events/ics-advisories/icsa-23-318-02